This paper concerns state-based systems that interact with their environment at physically distributed interfaces,
called ports. When such a system is used a projection of the global trace, called a local trace, is observed at each
port. This leads to the environment having reduced observational power: the set of local traces observed need not
uniquely define the global trace that occurred. We consider the previously defined implementation relation $\sqsubseteq_s$ and
start by investigating the problem of defining a language $\mathcal{L}(M)$ for a multi-port finite state machine (FSM) M such
that $N \sqsubseteq_s M$ if and only if every global trace of N is in $\mathcal{L}(M)$. The motivation is that if we can produce such
a language $\mathcal{L}(M)$ then this can potentially be used to inform development and testing. We show that $\mathcal{L}(M)$ can
be uniquely defined but need not be regular. We then prove that it is generally undecidable whether $N \sqsubseteq_s M$, a
consequence of this result being that it is undecidable whether there is a test case that is capable of distinguishing two
states or two multi-port FSMs in distributed testing. This result complements a previous result that it is undecidable
whether there is a test case that is guaranteed to distinguish two states or multi-port FSMs. We also give some
conditions under which $N \sqsubseteq_s M$ is decidable. We then consider the implementation relation that only concerns
input sequences of length k or less. Naturally, given FSMs N and M it is decidable whether $N \sqsubseteq_s^k M$ since only a
finite set of traces is relevant. We prove that if we place bounds on k and the number of ports then we can decide
$N \sqsubseteq_s^k M$ in polynomial time but otherwise this problem is NP-hard.


1 Introduction

Many systems interact with their environment at multiple physically distributed interfaces, called ports, with
web-services, cloud systems and wireless sensor networks being important classes of such systems. When we test
a system that has multiple ports we place a local tester at each port and the local tester at port p only observes
the events at p. This has led to the (ISO standardised) definition of the distributed test architecture in which we
have a set of distributed testers, the testers do not communicate with one another during testing, and there is no
global clock [23]. While it is sometimes possible to make testing more effective by allowing the testers to exchange
coordination messages during testing [H [31], this is not always feasible and the distributed test architecture is
typically simpler and cheaper to implement. Importantly, the situation in which separate agents (users or testers)
interact with the system at its ports can correspond to the expected use of the system.

Distributed systems often have a persistent internal state and such systems are thus modeled or specified using 
state-based languages. In the context of testing the focus has largely been on finite state machines (FSMs) and 
input output transition systems (IOTSs). This is both because such approaches are suitable and because most 
tools and techniques for model-based testing transform the models, written in a high-level notation, to an FSM or 
IOTS 5, 12, 1 3] [TTJ [34] . Model-based testing has received much recent attention since it facilitates test automation, 
the results of a recent major industrial project showing the potential for significant reductions in the cost of testing 
fTTjl. 



¹ In model-based testing, test automation is based on a model of the expected behaviour of the system or some aspect of this
expected behaviour.

Figure 1. A controllability problem caused by input $x'$



This paper concerns problems related to developing a multi-port system based on a (multi-port) FSM model/specification. 
Much of the work in the area of distributed testing has focussed on FSM models [Jj HI [lOj [24j |32j [36] , although there 
has also been work that considers more general models such as IOTSs and variants of IOTSs [TU [37J 1201 HI HI] ■ 
While IOTSs are more expressive, this paper explores decidability and complexity issues in distributed testing 
and so we restrict attention to finite state models and, in particular, to multi-port FSMs. Naturally, the negative 
decidability and complexity results proved in this paper extend immediately to IOTSs. 

When a state-based system interacts with its environment there is a resultant sequence of inputs and outputs 
called a global trace. When there are physically distributed ports the user or tester at a port p only observes the 
sequence of events that occur at p, the projection at p of the global trace, and this is called a local trace. It is known 
that the local testers only observing local traces introduces additional issues into testing [71 ID1 [TD1 [HI |3"71 12~?1 13"2l I36j . 

Previous work has shown that distributed testing introduces additional controllability and observability problems.
A controllability problem occurs when a tester does not know when to supply an input due to it not observing
the events at the other ports [321 E]. Consider, for example, the global trace shown in Figure 1. We use diagrams
(message sequence charts) such as this to represent scenarios. In such diagrams vertical lines represent processes
and time progresses as we go down a line. In this case the system under test (SUT) has two ports, 1 and 2, and we
have one vertical line representing the SUT, one representing the local tester at port 1, and one representing the
local tester at port 2. There is a controllability problem because the tester at port 2 should send input $x'$ after $y$
has been sent by the SUT but cannot know when this has happened since it does not observe the events at port 1.

Observability problems refer to the fact that the observational ability of a set of distributed testers is less than
that of a global tester since the set of local traces need not uniquely define the global trace that occurred [ID].
Consider, for example, the global traces $\sigma$ and $\sigma'$ shown in Figures 2 and 3 respectively. These global traces are
different but the local testers observe the same local traces: in each case the tester at port 1 observes $xyxy$ and the
tester at port 2 observes $y'$. Recent work has defined new notions of conformance (implementation relations) that
recognise this reduced observational power of the environment [16, 20]. These implementation relations essentially
say that the SUT conforms to the specification if the environment cannot observe a failure. When using such
implementation relations, we do not have to consider observability problems: if a global trace $\sigma$ of the SUT is
observationally equivalent to one in the specification then $\sigma$ is considered to be an allowed behaviour since a set
of distributed testers or users would not observe a failure.

Given multi-port FSMs N and M, there are two notions of conformance for situations in which distributed
observations are made: weak conformance ($\sqsubseteq_w$) and strong conformance ($\sqsubseteq_s$). Under $\sqsubseteq_w$, it is sufficient that for
every global trace $\sigma$ of N and port p there is some global trace $\sigma_p$ of M such that $\sigma$ and $\sigma_p$ are indistinguishable
at port p; they have the same local traces at p. In contrast, under $\sqsubseteq_s$ we require that for every global trace $\sigma$ of N
there is some global trace $\sigma'$ of M such that $\sigma$ and $\sigma'$ are indistinguishable at all of the ports. To see the difference,
let us suppose that there are two allowed responses to input $x_1$ at port 1: either $y_1$ at port 1 and $y_2$ at port 2
(forming global trace $\sigma$) or $y_1'$ at port 1 and $y_2'$ at port 2 (forming global trace $\sigma'$). Under $\sqsubseteq_w$ it is acceptable
for the SUT to respond to $x_1$ with $y_1$ at port 1 and $y_2'$ at port 2 since the local trace at port 1 is $x_1 y_1$, which is
a projection of $\sigma$, and the local trace at port 2 is $y_2'$, which is a projection of $\sigma'$. However, this is not acceptable
under $\sqsubseteq_s$ since there is no global trace of the specification that has projection $x_1 y_1$ at port 1 and projection $y_2'$ at
port 2.

Figure 2. Global trace $\sigma$. (Message sequence chart MSC2 with lifelines Tester 1, SUT and Tester 2.)

One of the benefits of using an FSM to model the required behaviour of a system that interacts with its 
environment at only one port is that there are standard algorithms for many problems that are relevant to test 
generation. For example, we can decide whether there are strategies (test cases) that reach or distinguish states 
[5] and such strategies are used by many test generation algorithms [TJ [HI H5J [23 HE1 [35J. In addition, if we have
an FSM specification M and an FSM design N then we can decide whether N conforms to M. Thus, if we wish to 
adapt standard FSM test techniques to the situation where we have distributed testers then we need to investigate 
corresponding problems for multi-port FSMs. Recent work has shown that it is undecidable whether there is a 
strategy that is guaranteed to reach a state or distinguishes two states of an FSM in distributed testing [18]. 
However, this left open the question of whether one can decide whether one FSM conforms to another. It also left 
open the related question of whether it is decidable whether there is a strategy that is capable of distinguishing 
two FSMs.²

This paper concerns the problem of deciding, for multi-port FSMs M and N, whether N conforms to M. Clearly,
this can be decided in low order polynomial time for $\sqsubseteq_w$: for each port p we simply compare the projections of N
and M at p. However, $\sqsubseteq_w$ will often be too weak since it assumes that we can never have the situation in which
an agent is aware of observations made at two or more ports. We therefore focus on the implementation relation
$\sqsubseteq_s$.
We start by investigating the question of whether, given a multi-port FSM M, we can define a language $\mathcal{L}(M)$
such that for every multi-port FSM N we have that $N \sqsubseteq_s M$ if and only if all global traces of N are in $\mathcal{L}(M)$. If
we can define such an $\mathcal{L}(M)$ then there is the potential to explore properties of this in order to find algorithms for
deciding $N \sqsubseteq_s M$ for classes of N and M. There is also the potential to base testing and development on $\mathcal{L}(M)$.
It has already been shown that we can produce such a language $\mathcal{L}(M)$ for the special case where we restrict testing
to controllable input sequences and are testing from deterministic FSMs [17]. We prove that $\mathcal{L}(M)$ is uniquely
defined but need not be regular.

We then consider the problem of determining whether $N \sqsubseteq_s M$ for multi-port FSMs N and M and prove that
this is generally undecidable. We also give some conditions under which $N \sqsubseteq_s M$ is decidable. Clearly, this
problem is important when we are checking an FSM design against an FSM specification. In addition, $N \sqsubseteq_s M$ if
no possible behaviour of N can be distinguished from the behaviours of M. Thus, since it is undecidable whether
$N \sqsubseteq_s M$ it is also undecidable whether there is a test case that is capable of distinguishing two states or FSMs.
This complements the result that it is undecidable whether there is a test case that is guaranteed to distinguish 
two states or FSMs [15] . However, the proofs use very different approaches: the proof of the previous result [18] 
used results from multi-player games while in this paper we develop and then use results regarding multi-tape 
automata. Note that many traditional methods for testing from an FSM use sequences that distinguish between 
states, in order to check that a (prefix of a) test case takes the SUT to a correct state [T] [TSJ [25] [35J. The 
results in this paper and in [18] suggest that it will be difficult to adapt such techniques for distributed testing. 
In addition, we can represent a possible fault in the SUT by an FSM N formed by introducing the fault into the 
specification FSM M: the results in this paper show that it is undecidable whether there is a test case that can 
detect such a 'fault', and thus also whether it represents an incorrect implementation. 

Since it is undecidable whether $N \sqsubseteq_s M$, we define a weaker implementation relation that only considers
sequences of length k or less. This is relevant when we know a bound on the length of sequences in use or we
know that the system will be reset after at most k inputs have been received. For example, a protocol might have
a bound on the number of steps that can occur before a 'disconnect' happens. Naturally, it is decidable whether
$N \sqsubseteq_s^k M$ since we only have to reason about finite sets of global traces. We prove that if we place a bound on k
and the number of ports then we can decide whether $N \sqsubseteq_s^k M$ in polynomial time but the problem is NP-hard if
we do not have such bounds.

This paper is structured as follows. Section 2 provides preliminary definitions. Section 3 then investigates the
problem of defining a language $\mathcal{L}(M)$ such that for every multi-port FSM N we have that $N \sqsubseteq_s M$ if and only if
all global traces of N are in $\mathcal{L}(M)$. In Section 4 we prove results regarding multi-tape automata that we use in
Section 5 to prove that it is generally undecidable whether $N \sqsubseteq_s M$. Section 5 also gives conditions under which
$N \sqsubseteq_s M$ is decidable. In Section 6 we then explore $\sqsubseteq_s^k$. Finally, in Section 7 we draw conclusions and discuss
possible lines of future work.

² It is decidable whether there is a strategy that is capable of reaching a given state of an FSM.

2 Preliminaries 

This paper concerns the testing of state-based systems whose behaviour is characterised by the input/output
sequences (global traces) that they can produce. Given a set $A$ we let $A^*$ denote the set of sequences formed from
elements of $A$ and we let $\epsilon$ denote the empty sequence. In addition, $A^+$ denotes the set of non-empty sequences
in $A^*$. Given sequence $\sigma \in A^*$ we let $pref(\sigma)$ denote the set of prefixes of $\sigma$. We are interested in finite state
machines, which define global traces (input/output sequences). Given a global trace $\sigma = x_1/y_1 \ldots x_k/y_k$, in which
$x_1, \ldots, x_k$ are inputs and $y_1, \ldots, y_k$ are outputs, the prefixes of $\sigma$ are the global traces of the form $x_1/y_1 \ldots x_j/y_j$
with $j < k$.

In this paper we investigate the situation in which a system interacts with its environment at n physically
distributed interfaces, called ports. We let $\mathcal{P} = \{1, \ldots, n\}$ denote the names of these ports. Then a multi-port
FSM M is defined by a tuple $(S, s_0, I, O, h)$ in which S is the finite set of states, $s_0 \in S$ is the initial state, I is
the finite input alphabet, O is the finite output alphabet, and h is the transition relation. The set of inputs is
partitioned into subsets $I_1, \ldots, I_n$ such that for $p \in \mathcal{P}$ we have that $I_p$ is the set of inputs that can be received at
port p. Similarly, for port p we let $O_p$ denote the set of outputs that can be observed at p. As is usual [5J EH ISH GS3
we allow an input to lead to outputs at several ports and so we let $O = ((O_1 \cup \{-\}) \times \ldots \times (O_n \cup \{-\}))$ in which
$-$ denotes null output. We can ensure that the $I_p$ and also the $O_p$ are pairwise disjoint by labelling input and
output with the port name, where necessary. We let $Act = I \cup O$ denote the set of possible observations and for
$p \in \mathcal{P}$ we let $Act_p = I_p \cup O_p$ denote the set of possible observations at port p.

The transition relation h is of type $S \times I \leftrightarrow S \times O$ and should be interpreted in the following way: if
$(s', y) \in h(s, x)$, $y = (z_1, \ldots, z_n)$, and M receives input x when in state s then it can move to state $s'$ and send output $z_p$
to port p (all $p \in \mathcal{P}$). This defines the transition $(s, s', x/y)$, which is a self-loop transition if $s = s'$. Since we only
consider multi-port FSMs in this paper, we simply call them FSMs. The FSM M is said to be a deterministic
FSM (DFSM) if $|h(s, x)| \le 1$ for all $s \in S$ and $x \in I$.

An FSM M is completely-specified if for every state s and input x, we have that $h(s, x) \neq \emptyset$. A sequence
$(s_1, s_2, x_1/y_1)(s_2, s_3, x_2/y_2) \ldots (s_k, s_{k+1}, x_k/y_k)$ of consecutive transitions is said to be a path, which has starting
state $s_1$ and ending state $s_{k+1}$. This path has label $x_1/y_1 \ldots x_k/y_k$, which is called a (global) trace. Further,
$x_1 \ldots x_k$ and $y_1 \ldots y_k$ are said to be the input portion and the output portion respectively of $x_1/y_1 \ldots x_k/y_k$. A
path is a cycle if its starting and ending states are the same. The FSM M defines the regular language $L(M)$ of
the labels of paths of M that have starting state $s_0$. Given state $s \in S$ of M we let $L_M(s)$ denote the set of global
traces that are labels of paths of M with starting state s, and so $L(M) = L_M(s_0)$. We say that M is initially
connected if for every state s of M there is a path that has starting state $s_0$ and ending state s. Throughout this
paper we assume that any FSM considered is completely-specified and initially connected. Where this condition 
does not hold we can remove the states that cannot be reached and we can complete the FSM by, for example, 
either adding self-loop transitions with null output or transitions to an error state. 

At times we will use results regarding finite automata (FA) and so we briefly define FA here. A FA M is defined
by a tuple $(S, s_0, X, h, F)$ in which S is the finite set of states, $s_0 \in S$ is the initial state, X is the finite alphabet,
h is the transition relation, and $F \subseteq S$ is the set of final states. The transition relation has type $S \times (X \cup \{\tau\}) \times S$
where $\tau$ represents a silent transition that is not observed. The notions of a path and its label, which does not
include instances of $\tau$, correspond to those defined for FSMs and so are not defined here. The FA M defines the
language $L(M)$ of labels of paths that have starting state $s_0$ and an ending state in F.

For a global trace $\sigma$ and port $p \in \mathcal{P}$ let $\pi_p(\sigma)$ denote the local trace formed by removing from $\sigma$ all elements
that do not occur at p. This is defined by the following rules in which $\sigma$ is a global trace (see, for example, [H]).

Given a set $A$ of global traces and port p we let $\pi_p(A)$ denote the set of projections of sequences in $A$. Thus,

$\pi_p(A) = \{\pi_p(\sigma) \mid \sigma \in A\}$.

In the distributed test architecture, a local tester at port $p \in \mathcal{P}$ only observes events from $Act_p$. Thus, two
global traces $\sigma$ and $\sigma'$ are indistinguishable if they have the same projections at every port and we denote this
$\sigma \sim \sigma'$. More formally, we say that $\sigma \sim \sigma'$ if for all $p \in \mathcal{P}$ we have that $\pi_p(\sigma) = \pi_p(\sigma')$.

Given an FSM M, we let $\mathcal{L}(M)$ denote the set of global sequences that are equivalent to elements of $L(M)$ under
$\sim$. These are the sequences that are indistinguishable from sequences in $L(M)$ when distributed observations are
made. Previous work has defined two conformance relations for testing from an FSM that reflect the observational 
power of distributed testing [16] . In some situations the agents at the separate ports of the SUT will never interact 
with one another or share information with other agents that can interact. In such cases it is sufficient for the 
local trace observed at a port p to be a local trace of M. This situation is captured by the following conformance 
relation. 

Definition 1 Given FSMs N and M with the same input and output alphabets and the same set of ports, $N \sqsubseteq_w M$
if for every global trace $\sigma \in L(N)$ and port p there exists some $\sigma_p \in L(M)$ such that $\pi_p(\sigma_p) = \pi_p(\sigma)$. N is then
said to weakly conform to M.

However, sometimes there is the potential for information from separate testers to be received by an external 
agent. For example, there may be a central controller that receives the observations made by each tester and thus 
knows the projection of the global trace at each port. This leads to the following stronger conformance relation. 

Definition 2 Given FSMs N and M with the same input and output alphabets and the same set of ports, $N \sqsubseteq_s M$
if for every global trace $\sigma \in L(N)$ there exists some $\sigma' \in L(M)$ such that $\sigma' \sim \sigma$. N is then said to strongly conform
to M.

It is straightforward to see that given FSMs N and M we have that $N \sqsubseteq_s M$ if and only if $L(N) \subseteq \mathcal{L}(M)$. It is
also clear that $N \sqsubseteq_s M$ implies that $N \sqsubseteq_w M$. In order to see that $\sqsubseteq_s$ is strictly stronger than $\sqsubseteq_w$ it is sufficient
to consider the FSMs $M_1$ and $N_1$ shown in Figure 2J. Clearly we do not have that $N_1 \sqsubseteq_s M_1$ since $M_1$ has no
global trace equivalent to $x_1/(y_1, y_2')$ under $\sim$. However, for every global trace $\sigma$ of $N_1$ and port p there is a global
trace $\sigma'$ of $M_1$ such that $\pi_p(\sigma) = \pi_p(\sigma')$. Thus, we have that $N_1 \sqsubseteq_w M_1$.

3 Test models for conformance 

In this section we investigate the problem of defining a language $\mathcal{L}(M)$ for an FSM M such that $N \sqsubseteq_s M$ if
and only if $L(N) \subseteq \mathcal{L}(M)$. The motivation is that if we are developing the SUT from M and we do have some
such $\mathcal{L}(M)$ then we can use standard approaches to refine $\mathcal{L}(M)$. In addition, if in testing we wish to test for $\sqsubseteq_s$
but we can connect the local testers to form a global tester then we should compare the global traces of the SUT
with $\mathcal{L}(M)$: if we compare the global traces from the SUT with $L(M)$ then this could lead to the SUT N being
declared faulty even if $N \sqsubseteq_s M$. It would be particularly useful if we could find an FSM or IOTS $M'$ such that
$L(M') = \mathcal{L}(M)$; we could then test N against $M'$ using normal test methods and the usual conformance relation
(trace inclusion).

Figure 5. DFSM $M_4$

We start by considering the language $\mathcal{L}(M)$. Clearly, we have that $N \sqsubseteq_s M$ if and only if $L(N) \subseteq \mathcal{L}(M)$.
However, if we can represent $\mathcal{L}(M)$ using an FSM or IOTS then for every $\sigma \in \mathcal{L}(M)$ and $\sigma' \in pre(\sigma)$ we must have
that $\sigma' \in \mathcal{L}(M)$: $\mathcal{L}(M)$ must be prefix closed.

Proposition 1 The language $\mathcal{L}(M)$ need not be prefix closed.
Proof

Consider a DFSM M such that $x_1/(y_1, y_2)\, x_1/(y_1, -) \in L(M)$. Then $\mathcal{L}(M)$ contains $x_1/(y_1, -)\, x_1/(y_1, y_2)$ but
$x_1/(y_1, -) \notin \mathcal{L}(M)$ and so $\mathcal{L}(M)$ is not prefix closed. □
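
The definitions of Section 2 and the trace used in the proof above can be checked mechanically; the following Python is an added example (not code from the paper) that implements the projection $\pi_p$, the relation $\sim$, bounded checks of Definitions 1 and 2, and membership of $\mathcal{L}(M)$. The class and function names, the machines `M1`, `N1` and `M_PC` (constructed from the two-response example in the Introduction and from the trace in Proposition 1's proof), and the ordering of an input before the output it triggers within a local trace are assumptions.

```python
NULL = "-"  # null output at a port


class FSM:
    """Multi-port FSM: h maps (state, input) to a set of (next_state, outputs);
    outputs has one entry per port and NULL where no output is produced."""

    def __init__(self, s0, h, port_of):
        self.s0, self.h, self.port_of = s0, h, port_of

    def traces(self, k):
        """Global traces with at most k inputs, each a tuple of (x, y) pairs."""
        found, frontier = {()}, {((), self.s0)}
        for _ in range(k):
            frontier = {(t + ((x, y),), s2)
                        for t, s in frontier
                        for (s1, x), succ in self.h.items() if s1 == s
                        for s2, y in succ}
            found |= {t for t, _ in frontier}
        return found


def project(trace, p, port_of):
    """Local trace at port p (assumed order: the input, then its output)."""
    local = []
    for x, y in trace:
        if port_of[x] == p:
            local.append(x)
        if y[p - 1] != NULL:
            local.append(y[p - 1])
    return tuple(local)


def observation(trace, ports, port_of):
    """One local trace per port; two global traces are ~ iff these are equal."""
    return tuple(project(trace, p, port_of) for p in ports)


def in_closure(trace, m, ports):
    """True iff trace is ~ to some trace of L(M). Exact, because every input
    appears in exactly one local trace, so ~ preserves the number of inputs."""
    target = observation(trace, ports, m.port_of)
    return any(observation(t, ports, m.port_of) == target
               for t in m.traces(len(trace)))


def strongly_conforms(n, m, ports, k):
    """Definition 2 restricted to traces of N with at most k inputs."""
    return all(in_closure(t, m, ports) for t in n.traces(k))


def weakly_conforms(n, m, ports, k, m_bound):
    """Definition 1 for traces of N with at most k inputs. M is explored to
    m_bound inputs: a matching trace of M may be longer than the trace of N,
    since inputs at other ports are invisible at p, so pick m_bound to suit M."""
    for p in ports:
        allowed = {project(t, p, m.port_of) for t in m.traces(m_bound)}
        if any(project(t, p, n.port_of) not in allowed for t in n.traces(k)):
            return False
    return True


PORTS = (1, 2)
PORT_OF = {"x1": 1}  # constructed: the single input x1 is received at port 1

# Constructed from the Introduction: M1 answers x1 with (y1, y2) or (y1', y2');
# N1 mixes the two responses.
M1 = FSM("s0", {("s0", "x1"): {("s0", ("y1", "y2")),
                               ("s0", ("y1'", "y2'"))}}, PORT_OF)
N1 = FSM("s0", {("s0", "x1"): {("s0", ("y1", "y2'"))}}, PORT_OF)

# Constructed DFSM whose language contains x1/(y1,y2) x1/(y1,-).
M_PC = FSM("s0", {("s0", "x1"): {("s1", ("y1", "y2"))},
                  ("s1", "x1"): {("s1", ("y1", NULL))}}, PORT_OF)
SWAPPED = (("x1", ("y1", NULL)), ("x1", ("y1", "y2")))

if __name__ == "__main__":
    print("N1 weakly conforms to M1:  ", weakly_conforms(N1, M1, PORTS, 3, 3))
    print("N1 strongly conforms to M1:", strongly_conforms(N1, M1, PORTS, 3))
    print("swapped trace in closure:  ", in_closure(SWAPPED, M_PC, PORTS))
    print("its prefix in closure:     ", in_closure(SWAPPED[:1], M_PC, PORTS))
```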
The languages defined by FSMs and IOTSs are prefix closed and so we know that $\mathcal{L}(M)$ cannot always be
represented by such a model. However, the languages defined by finite automata need not be prefix closed. Thus,
Proposition 1 does not preclude the possibility of representing $\mathcal{L}(M)$ using finite automata; however, the
following does. It is already known from Mazurkiewicz trace theory that, where some elements of an alphabet
commute (i.e. $ab = ba$), the set of sequences equivalent to those defined by a FA need not be regular (see, for
example, [5]). It is straightforward to show that this also holds for FSMs.

Proposition 2 Given FSM M, the language $\mathcal{L}(M)$ need not be regular.
Proof

Consider the FSM $M_4$ shown in Figure 5 and let $L = \mathcal{L}(M_4)$. Proof by contradiction: assume that L is a regular
language.

Let $L'$ be the set of global traces in which all outputs are $(-, -)$. Clearly $L'$ is a regular language. Thus, since
L is regular we must have that $L'' = L \cap L'$ is regular. The language $L''$ is the set of global traces from $\mathcal{L}(M_4)$
that have null output. Thus, $L''$ is the set of all global traces with inputs drawn from $\{x_1, x_2\}$ and that have null
output and in which the number of instances of xi is either equal to the number of instances of x\ or is one less 
than this. However, this language is not regular, providing a contradiction as required. □ 

We have that $\mathcal{L}(M)$ has the property we want ($N \sqsubseteq_s M$ if and only if $L(N) \subseteq \mathcal{L}(M)$) but that $\mathcal{L}(M)$ need not
be regular. The observation that $\mathcal{L}(M)$ is not prefix closed tells us that it can contain strings that are in no $L(N)$
for an FSM or IOTS N such that $N \sqsubseteq_s M$. It seems natural to remove these global traces.



Definition 3 Given FSM M let $\mathcal{L}_{pc}(M)$ denote the set of global traces from $\mathcal{L}(M)$ whose prefixes are also in
$\mathcal{L}(M)$. More formally, $\mathcal{L}_{pc}(M) = \{\sigma \in \mathcal{L}(M) \mid pre(\sigma) \subseteq \mathcal{L}(M)\}$.

Proposition 3 Given FSMs M and N we have that $N \sqsubseteq_s M$ if and only if $L(N) \subseteq \mathcal{L}_{pc}(M)$.

Proof

In forming $\mathcal{L}_{pc}(M)$ we only remove from $\mathcal{L}(M)$ a global trace $\sigma$ if some of its prefixes are not in $\mathcal{L}(M)$, and so $\sigma$
cannot be a global trace of an FSM N such that $N \sqsubseteq_s M$. The result therefore follows from the fact that $N \sqsubseteq_s M$
if and only if $L(N) \subseteq \mathcal{L}(M)$.

Clearly, $\mathcal{L}_{pc}(M) \subseteq \mathcal{L}(M)$ and so it is natural to ask whether there remain any global traces in $\mathcal{L}_{pc}(M)$ that
cannot appear in FSMs that conform to M under $\sqsubseteq_s$.

Proposition 4 Given an FSM M and global trace $\sigma \in \mathcal{L}_{pc}(M)$ there exists an FSM N such that $N \sqsubseteq_s M$ and
$\sigma \in L(N)$. Further, this is true even if we restrict N to being deterministic.

Proof

Let $\sigma$ be a global trace of length k and so $\sigma = x_1/y_1 \ldots x_k/y_k$ for some $x_1, \ldots, x_k \in I$ and $y_1, \ldots, y_k \in O$. For all
$1 \le i < k$ let $\sigma_i$ denote the prefix of $\sigma$ with length i. We will construct an FSM $N'$ in the following way. First,
define an initial state $s'_0$ and for every $1 \le i < k$ we define a state and add the transition $(s'_{i-1}, s'_i, x_i/y_i)$.

Since $\sigma \in \mathcal{L}_{pc}(M)$, for each state $s'_i$, $1 \le i < k$, we choose a (not necessarily unique) state of M, which we call
$s_i$, that is reached from the initial state of M using a global trace $\sigma'_i \sim \sigma_i$. We add a copy of M to the structure
already defined and will use transitions to the states of this copy of M in order to complete $N'$.

First, we add the transition $(s'_{k-1}, s_k, x_k/y_k)$ so if we follow $\sigma$ by further input in $N'$ then we will obtain $\sigma$
followed by a global trace $\sigma'$ from $s_k$ in M. For all $1 \le i < k$, $x \in I \setminus \{x_i\}$, and $(s', y) \in h(s_{i-1}, x)$, we add the
transition $(s'_{i-1}, s', x/y)$. Every global trace in $N'$ is either a global trace of M or is $\sigma_i\sigma'$ for a $\sigma_i$ (which is in
$\mathcal{L}(M)$) and a global trace $\sigma'$ such that $\sigma' \in L_M(s_i)$ and so $\sigma_i\sigma' \in \mathcal{L}(M)$. Further, it is clear that there is some DFSM
N such that $L(N) \subseteq L(N')$ and $\sigma \in L(N)$. Thus, N is a DFSM with $L(N) \subseteq L(N') \subseteq \mathcal{L}(M)$ and so we have that
$N' \sqsubseteq_s M$ as required. □

Thus, $\mathcal{L}_{pc}(M)$ is the smallest language such that $N \sqsubseteq_s M$ if and only if $L(N) \subseteq \mathcal{L}_{pc}(M)$ and so it appears to
be the language we want.

Figure M shows two FSMs M and $M'$ such that $M' = \mathcal{L}_{pc}(M)$. Since $M' = \mathcal{L}_{pc}(M)$, for an FSM N we have
that $N \sqsubseteq_s M$ if and only if $L(N) \subseteq L(M')$. This works because the only global traces that are in $\mathcal{L}(M)$ but not
$L(M)$ are those in the form $(x_1/(y_1, -))^* x_2/(-, y_2) ((x_1/(y_1, -))^+ x_2/(-, y_2))^*$ and these are included in $L(M')$.

We have shown that we are required to keep all of the sequences in $\mathcal{L}_{pc}(M)$. Now we show that if $L = L(M')$
for some FSM $M'$ and we have that $\mathcal{L}_{pc}(M) \subset L(M')$ then the language $L(M')$ is too large. We do this by proving
that there can be a reduction N of $M'$ that does not conform to M under $\sqsubseteq_s$ and this is the case even if we restrict
N to be deterministic.

Proposition 5 Given an FSM M, if $L' = L(M')$ for some FSM $M'$ and $\mathcal{L}_{pc}(M) \subset L'$ then there is an FSM N
such that $L(N) \subseteq L'$ but we do not have that $N \sqsubseteq_s M$. Further, this result holds even if we restrict N to being
deterministic.

Proof

Since $\mathcal{L}_{pc}(M) \subset L'$ there is some global trace $\sigma \in L(M') \setminus \mathcal{L}_{pc}(M)$. Since $L' = L(M')$ for an FSM $M'$, it is clear
that there exists a DFSM N such that $L(N) \subseteq L'$ and $\sigma \in L(N)$.

It is now sufficient to observe that $\sigma$ and all of its prefixes are in $L(N)$ and since $\sigma \notin \mathcal{L}_{pc}(M)$ we must have
that at least one of these sequences is not in $\mathcal{L}(M)$. □

Thus, the language we are looking for must contain $\mathcal{L}_{pc}(M)$ and if we restrict attention to languages defined by
FSMs, then the language cannot contain any additional global traces.³ Unfortunately, however, $\mathcal{L}_{pc}(M)$ need not
be regular.

Proposition 6 The language $\mathcal{L}_{pc}(M)$ need not be regular.
Proof

We will use the FSM $M_5$ shown in Figure 7. Proof by contradiction: assume that $\mathcal{L}_{pc}(M_5)$ is regular.

Let $L'$ denote the regular language $(x_2/(-, -))^*(x_1/(-, -))^*$. Consider the language $\mathcal{L}(M_5) \cap L'$, which is the
set of sequences of the form $(x_2/(-, -))^*(x_1/(-, -))^*$ where the number of instances of $x_2$ can be at worst one
less than the number of instances of $x_1$. This is prefix closed since each element of $\mathcal{L}(M_5) \cap L'$ starts with all of
its instances of $x_2/(-, -)$. Clearly $\mathcal{L}(M_5) \cap L'$ is not regular.

Since $\mathcal{L}(M_5) \cap L'$ is prefix closed, $\mathcal{L}_{pc}(M_5) \cap L' = \mathcal{L}(M_5) \cap L'$. As a result, we know that $\mathcal{L}_{pc}(M_5) \cap L'$ is not
regular. But $L'$ is regular and so if $\mathcal{L}_{pc}(M_5)$ was regular then $\mathcal{L}_{pc}(M_5) \cap L'$ would also be regular. This provides
a contradiction as required. □

We therefore obtain the following result. 

Theorem 1 Given an FSM M there need not exist an FSM $M'$ with the property that for all FSMs N we have that
$N \sqsubseteq_s M$ if and only if $L(N) \subseteq L(M')$. In addition, this result holds even if we restrict attention to deterministic
N.

Proof 

By Propositions 2] and [5] we know that we must have that $L(M') = \mathcal{L}_{pc}(M)$. The result thus follows from
Proposition O □
If $\mathcal{L}_{pc}(M)$ is regular then there is a corresponding FSM. It would thus be interesting to explore conditions under
which $\mathcal{L}_{pc}(M)$ is guaranteed to be regular and also properties of $\mathcal{L}_{pc}(M)$ when this is not regular. There may also
be scope to represent $\mathcal{L}_{pc}(M)$ using an IOTS.

³ We can easily extend the proofs to more general formalisms such as IOTSs.

4 Conformance and multi-tape automata

While we can decide (in polynomial time) whether $N \sqsubseteq_w M$, this is quite a weak conformance relation since it
does not allow us to bring together local traces observed at the separate ports. It seems likely that normally the
implementation relation $\sqsubseteq_s$ will be more suitable and so we consider the problem of deciding whether $N \sqsubseteq_s M$.
In this section we study the problem of deciding language inclusion for multi-tape automata; in Section 5 we use
the results proved here regarding multi-tape automata to show that it is generally undecidable whether $N \sqsubseteq_s M$
for FSMs M and N. We first define multi-tape FA [30].

Definition 4 An r-tape FA with disjoint alphabets $\Sigma_i$, $1 \le i \le r$ is a tuple $(S, s_0, \Sigma, h, F)$ in which S is a finite
set of states, $s_0 \in S$ is the initial state, $F \subseteq S$ is the set of final states and $h : S \times \bigcup_{i=1}^{r} \Sigma_i \times S$ is the transition
relation. Then A accepts a tuple $(w_1, \ldots, w_r) \in \Sigma_1^* \times \ldots \times \Sigma_r^*$ if and only if there is some sequence $\sigma \in (\bigcup_{i=1}^{r} \Sigma_i)^*$
that takes A to a final state such that $\pi_i(\sigma) = w_i$ for all $1 \le i \le r$. We let $\mathcal{L}(N)$ denote the set of tuples accepted
by N.

Given a multi-tape FA N with r tapes, we will let $L(N)$ denote the language in $(\Sigma_1 \cup \ldots \cup \Sigma_r)^*$ of the
corresponding FA. We obtain $L(N)$ by treating N as a FA with alphabet $\Sigma = \Sigma_1 \cup \ldots \cup \Sigma_r$.

It might seem that deciding whether $N \sqsubseteq_s M$ is similar to deciding whether, for two multi-tape FA $N'$ and $M'$,
the language defined by $N'$ is a subset of that defined by $M'$. This problem, regarding multi-tape FA, is known to
be undecidable [SU]. However, the proof of the result regarding multi-tape FA uses FA in which not all states are
final and in FSMs there is no concept of a state not being a final state. Thus, the results of [3D] are not directly
applicable to the problem of deciding whether $N \sqsubseteq_s M$ for FSMs N and M and it appears that the corresponding
problem, for multi-tape FA in which all states are final, has not previously been solved. In this section we prove
that language inclusion is generally undecidable for multi-tape FA in which all states are final states. Before we
consider decidability issues, we investigate the corresponding languages and closure properties.

Proposition 7 Let us suppose that $N_1 = (S, s_0, h_1, S)$ and $N_2 = (Q, q_0, h_2, Q)$ are multi-tape FA with the same
number of tapes and the same alphabets and also that all of the states of $N_1$ and $N_2$ are final states. Then we have
the following.

1. There exists a multi-tape FA M such that $\mathcal{L}(M) = \mathcal{L}(N_1) \cup \mathcal{L}(N_2)$ and all of the states of M are final states.

2. There exists a multi-tape FA M such that $\mathcal{L}(M) = \mathcal{L}(N_1)\mathcal{L}(N_2)$ and all of the states of M are final states.

3. There may not exist a multi-tape FA M such that $\mathcal{L}(M) = \mathcal{L}(N_1) \setminus \mathcal{L}(N_2)$ and all of the states of M are
final states.

4. There may not exist a multi-tape FA M such that $\mathcal{L}(M) = \mathcal{L}(N_1) \cap \mathcal{L}(N_2)$ and all of the states of M are
final states.

Proof 

We will use $A \oplus B$, for sets A and B, to denote the disjoint union of A and B. For the first result it is sufficient
to define the FA $(S \oplus Q \oplus \{r_0\}, r_0, \Sigma, h', S \oplus Q \oplus \{r_0\})$ for $r_0 \notin S \oplus Q$, in which $h'$ is the union of $h_1$ and $h_2$ plus the
following transitions: for every $(s_0, a, s) \in h_1$ we include in $h'$ the tuple $(r_0, a, s)$; and for every $(q_0, a, q) \in h_2$ we
include in $h'$ the tuple $(r_0, a, q)$.

For the second part, it is sufficient to take the disjoint union of $N_1$ and $N_2$ and for every transition $(s, s', a)$ of
$N_1$ add a transition $(s, q_0, a)$.

For the third part, it is sufficient to observe that for any choice of $N_1$ and $N_2$ we have that the empty sequence
is in $\mathcal{L}(N_1)$ and $\mathcal{L}(N_2)$ and so not in $\mathcal{L}(N_1) \setminus \mathcal{L}(N_2)$. Thus, it is sufficient to choose any $N_1$ and $N_2$ such that
$\mathcal{L}(N_1) \setminus \mathcal{L}(N_2)$ is non-empty.

For the last part, let us suppose that we have two tapes with alphabets $\{a_1\}$ and $\{a_2\}$, let $L(N_1) = \{\epsilon, a_1, a_1 a_2\}$
and let $L(N_2) = \{\epsilon, a_2, a_2 a_1\}$ and so $\mathcal{L}(N_1) \cap \mathcal{L}(N_2) = \{\epsilon, a_1 a_2, a_2 a_1\}$. □

We will use Post's Correspondence Problem to prove that language inclusion is undecidable. 

Definition 5 Given sequences $\alpha_1, \ldots, \alpha_m$ and $\beta_1, \ldots, \beta_m$ over an alphabet $\Sigma$, Post's Correspondence Problem
(PCP) is to decide whether there is a sequence $i_1, \ldots, i_k$ of indices from $[1, m]$ such that $\alpha_{i_1} \ldots \alpha_{i_k} = \beta_{i_1} \ldots \beta_{i_k}$.

Figure 8. Finite Automaton M



It is known that Post's Correspondence Problem is undecidable [29].

Theorem 2 Post's Correspondence Problem is undecidable.

We now prove the main result from this section.

Theorem 3 Let us suppose that N and M are multi-tape FA in which all states are final states. The following
problem is undecidable, even when there are only two tapes: do we have that $\mathcal{L}(N) \subseteq \mathcal{L}(M)$?

Proof 

We will show that if we can solve this problem then we can also solve Post's Correspondence Problem. We therefore
assume that we have been given an instance of the PCP with sequences $\alpha_1, \ldots, \alpha_m$ and $\beta_1, \ldots, \beta_m$ with alphabet $\Sigma$.
To allow elements of $\Sigma$ to be on both tapes we use two disjoint copies, $\Sigma_1 = \{f_1(a) \mid a \in \Sigma\}$ and $\Sigma_2 = \{f_2(a) \mid a \in \Sigma\}$,
of $\Sigma$. Given a sequence $x_1 \ldots x_l$ and $j \in \{1, 2\}$ we let $f_j(x_1 \ldots x_l)$ denote $f_j(x_1) \ldots f_j(x_l)$.

We consider multi-tape automata with two tapes with alphabets $\Sigma_1 \cup \{x, x'\}$ and $\Sigma_2$ respectively, where $x, x'$
are chosen so that they are not in $\Sigma_1 \cup \Sigma_2$. We let N denote an FA such that $L(N)$ is the language that contains all
sequences in the regular language $x((f_1(\alpha_{i_1}) f_2(\beta_{i_1})) + \ldots + (f_1(\alpha_{i_k}) f_2(\beta_{i_k})))^* x'$ and all prefixes of such sequences.
Clearly, such an FA N exists. Consider all sequences in $\mathcal{L}(N)$ that contain an $x$ and an $x'$ and let $\sigma_a$ and $\sigma_b$ be the
sequences in the two tapes with $x$ and $x'$ removed. Then we must have that $\sigma_a$ is of the form $f_1(\alpha_{i_1}) \ldots f_1(\alpha_{i_k})$
and $\sigma_b$ is of the form $f_2(\beta_{i_1}) \ldots f_2(\beta_{i_k})$ with $i_1, \ldots, i_k \in [1, m]$. In addition, all such combinations correspond to
sequences in $L(N)$. Thus, there is a solution to this instance of the PCP if and only if $\mathcal{L}(N)$ contains a tuple
$(x \sigma_a x', \sigma_b)$ in which $\sigma_a = \sigma_b$.

The FA M that defines language $L(M)$ is shown in Figure [5] in which $(a, -)$ denotes all elements of the form
$f_1(a)$ and $(-, a)$ denotes all elements of the form $f_2(a)$, $a \in \Sigma$. Further, $(a, b)$ denotes sequences of the form
$f_1(a) f_2(b)$ with $a, b \in \Sigma$ and $a \neq b$. We use $(a, a)$ to denote sequences of the form $f_1(a) f_2(a)$ with $a \in \Sigma$. In all
cases where we have sequences with length 2, this represents a cycle of length 2.

Now consider the problem of deciding whether $\mathcal{L}(N) \subseteq \mathcal{L}(M)$. Specifically, we will focus on the problem of
deciding whether $\mathcal{L}(N)$ is not a subset of $\mathcal{L}(M)$ and so $\mathcal{L}(N) \setminus \mathcal{L}(M)$ is non-empty. First, note that in $\mathcal{L}(M)$ we
have:

1. The language defined by paths that pass through $s_1$ contains all tuples of the form $(x f_1(w_1), f_2(w_2))$ or
$(x f_1(w_1) x', f_2(w_2))$ such that $w_1, w_2 \in \Sigma^*$ and $w_1$ is a strict prefix of $w_2$.

2. The language defined by paths that pass through $s_3$ contains all tuples of the form $(x f_1(w_1), f_2(w_2))$ or
$(x f_1(w_1) x', f_2(w_2))$ such that $w_1, w_2 \in \Sigma^*$ and $w_2$ is a strict prefix of $w_1$.

3. The language defined by paths that pass through $s_2$ contains all tuples of the form $(x f_1(w_1 w_3), f_2(w_2 w_4))$ or
$(x f_1(w_1 w_3) x', f_2(w_2 w_4))$ in which $w_1 \in \Sigma^*$ and $w_2 \in \Sigma^*$ have the same length, $w_1 \neq w_2$, and $w_3, w_4 \in \Sigma^*$.

4. The language defined by paths that do not leave $s_0$ contains all tuples of the form $(x f_1(w), f_2(w))$.

Consider tuples in $\mathcal{L}(M)$ that do not contain $x'$ and thus tuples of the form $(x f_1(w_1), f_2(w_2))$ in which $w_1, w_2 \in
\Sigma^*$. Then paths that pass through $s_1$ define all such tuples in which $w_1$ is a strict prefix of $w_2$ and paths that
pass through $s_3$ define all such tuples in which $w_2$ is a strict prefix of $w_1$. In addition, paths that do not leave
$s_0$ define all such tuples in which $w_1 = w_2$ and paths that pass through $s_2$ define all such tuples in which $w_1$ and
$w_2$ differ after a (possibly empty) common prefix. Thus, $L(M)$ defines all tuples of the form $(x f_1(w_1), f_2(w_2))$ in
which $w_1, w_2 \in \Sigma^*$ and so all tuples in $\mathcal{L}(N)$ that do not contain $x'$ are also in $\mathcal{L}(M)$.

Now, consider the tuples in $\mathcal{L}(M)$ that contain $x'$. These are of the form $(x f_1(w_1) x', f_2(w_2))$ and are defined by
paths that pass through $s_1$, $s_2$ and $s_3$. By examining the languages defined by paths that pass through these states
we find that $\mathcal{L}(M)$ contains the set of tuples of this form in which $w_1 \neq w_2$. Thus, $\mathcal{L}(N) \setminus \mathcal{L}(M)$ is non-empty if
and only if $\mathcal{L}(N)$ contains a tuple of the form $(x f_1(w) x', f_2(w))$. But we know that this is the case if and only if
there is a solution to this instance of the PCP and so the result follows from Theorem 2. □

For the sake of completeness, we now prove some additional decidability results regarding multi-tape automata 
in which all states are final. 

Theorem 4 Let us suppose that N and M are multi-tape FA in which all states are final states. The following
problem is undecidable, even when there are only three tapes: do we have that $\mathcal{L}(N) \cap \mathcal{L}(M)$ contains a non-empty
sequence?

Proof 

We assume that we have been given an instance of the PCP with sequences $\alpha_1, \ldots, \alpha_m$ and $\beta_1, \ldots, \beta_m$ with
alphabet $\Sigma$ and follow an approach similar to that used in the proof of Theorem 3. To allow elements of $\Sigma$ on two
tapes we use two copies of elements of $\Sigma$ and let $\Sigma_1 = \{f_1(a) \mid a \in \Sigma\} \cup \{x\}$, $\Sigma_2 = \{f_2(a) \mid a \in \Sigma\}$, and $\Sigma_3 = \{x'\}$.
Given a sequence $a_1 \ldots a_l \in \Sigma^*$ and $j \in \{1, 2\}$ we let $f_j(a_1 \ldots a_l)$ denote $f_j(a_1) \ldots f_j(a_l)$.

We consider multi-tape automata with three tapes with alphabets $\Sigma_1$, $\Sigma_2$, and $\Sigma_3$. We let N denote such
an FA such that $L(N)$ contains all tuples formed by sequences in the regular language $x((f_1(\alpha_{i_1}) f_2(\beta_{i_1})) + \ldots +
(f_1(\alpha_{i_k}) f_2(\beta_{i_k})))^+ x'$ and all prefixes of such sequences. Note that $x x'$ is not contained in $L(N)$. In addition, we let
M denote the multi-tape automaton defined by the following:

1. There is a transition from $s_0$ to state $s_1$ and this has label $x'$;

2. For all $a \in \Sigma$ there is a cycle starting and ending at $s_1$ with label $f_1(a) f_2(a)$;

3. There is a transition from $s_1$ to $s_2$, not involved in the cycles, with label $x$.

4. There are no transitions from $s_2$.

Thus, all elements of $\mathcal{L}(M)$ are either $(\epsilon, \epsilon, \epsilon)$ or contain $x'$. As a result, if there is a non-empty element of
$\mathcal{L}(N) \cap \mathcal{L}(M)$ then this must contain both $x$ and $x'$. It is now sufficient to observe that this is the case if and only
if there is a solution to this instance of the PCP. □

Finally, we prove that equivalence is undecidable for multi-tape FA in which all states are final states. 

Theorem 5 Let us suppose that N and M are multi-tape FA in which all states are final states. The following
problem is undecidable, even when there are only two tapes: do we have that $\mathcal{L}(N) = \mathcal{L}(M)$?

Proof

First observe that given sets A and B we have that $A \subseteq B$ if and only if $A \cup B = B$. Let us suppose that we have two
multi-tape automata $N_1$ and $N_2$ with the same numbers of tapes and the same alphabets and assume that all states
of $N_1$ and $N_2$ are final states. By Proposition 7 we know that we can construct a multi-tape automaton $N_3$ such
that $\mathcal{L}(N_3) = \mathcal{L}(N_1) \cup \mathcal{L}(N_2)$ and all states of $N_3$ are final states. Thus, if we can decide whether $\mathcal{L}(N) = \mathcal{L}(M)$
for two multi-tape FA that have only final states then we can also decide whether $\mathcal{L}(N_1) \cup \mathcal{L}(N_2) = \mathcal{L}(N_2)$ for
two multi-tape FA that only have final states. However, this holds if and only if $\mathcal{L}(N_1) \subseteq \mathcal{L}(N_2)$. The result thus
follows from Theorem 3. □

We now show how we can represent the problem of deciding language inclusion for multi-tape FA in terms of
deciding whether $N \sqsubseteq_s M$ for suitable FSMs N and M.

5 Deciding Strong Conformance 

We have proved some decidability results for multi-tape FA in which all states are final states. However, we are
interested in FSMs and here a transition has an input/output pair as a label. We now show how a multi-tape FA
can be represented using an FSM (with multiple ports) before using this result to prove that $N \sqsubseteq_s M$ is generally
undecidable for FSMs N and M.

In order to extend Theorem 3 to FSMs we define a function that takes a multi-port finite automaton and returns
an FSM.

Definition 6 Let us suppose that $N = (S, s_0, \Sigma, h, S)$ is a FA with r tapes with alphabets $\Sigma_1, \ldots, \Sigma_r$. We define
the FSM $\mathcal{F}(N)$ with $r + 1$ ports as defined below in which for all $1 \le p \le r$ we have that the input alphabet of N
at p is $\Sigma_p$ and the output alphabet is empty and further we have that the input alphabet at port $r + 1$ is empty and
the output alphabet at $r + 1$ is $\{0, 1\}$. In the following for $a \in \{0, 1\}$ we use $a_k$ to denote the k-tuple whose first
$k - 1$ elements are empty and whose kth element is $a$.

$\mathcal{F}(N) = (S \cup \{s_e\}, s_0, \Sigma, \{0_{r+1}, 1_{r+1}\}, h')$ in which $s_e \notin S$, for all $z \in \Sigma$ we have that $h'(s_e, z) = \{(s_e, 0_{r+1})\}$

and for all $s \in S$ and $z \in \Sigma$ we have that $h'(s, z)$ is defined by the following:

1. If $h(s, z) = S'$ then $h'(s, z) = \{(s', 1_{r+1}), (s', 0_{r+1}) \mid s' \in S'\}$;

2. If $h(s, z) = \emptyset$ then $h'(s, z) = \{(s_e, 0_{r+1})\}$.

The idea is that while following a path of N the FSM $\mathcal{F}(N)$ can produce either 0 or 1 at port $r + 1$ in response
to each input but once we diverge from such a path the FSM can then only produce 0 (at $r + 1$) in response to an
input.

Lemma 1 Let us suppose that N and M are r-tape FA with alphabets $\Sigma_1, \ldots, \Sigma_r$. Then $\mathcal{L}(N) \subseteq \mathcal{L}(M)$ if and
only if $\mathcal{F}(N) \sqsubseteq_s \mathcal{F}(M)$.

Proof 

First assume that $\mathcal{F}(N) \sqsubseteq_s \mathcal{F}(M)$ and we are required to prove that $\mathcal{L}(N) \subseteq \mathcal{L}(M)$. Assume that $\sigma \in \mathcal{L}(N)$ and
so there exists some $\sigma' \sim \sigma$ such that $\sigma' \in L(N)$. Since $\sigma' \in L(N)$ we have that $L(\mathcal{F}(N))$ contains the global trace
$\rho'$ in which the input portion is $\sigma'$ and each output is $1_{r+1}$. Since $\mathcal{F}(N) \sqsubseteq_s \mathcal{F}(M)$ we must have that there is some
$\rho'' \in L(\mathcal{F}(M))$ such that $\rho'' \sim \rho'$. However, since the outputs are all at port $r + 1$ and the inputs are at ports
$1, \ldots, r$ we must have that $\rho''$ has output portion that contains only $1_{r+1}$ and input portion $\sigma''$ for some $\sigma'' \sim \sigma'$.
Thus, we must have that $\sigma'' \in L(M)$. Since $\sigma \sim \sigma'$ and $\sigma' \sim \sigma''$ we must have that $\sigma \in \mathcal{L}(M)$ as required.

Now assume that $\mathcal{L}(N) \subseteq \mathcal{L}(M)$ and we are required to prove that $\mathcal{F}(N) \sqsubseteq_s \mathcal{F}(M)$. Let $\rho$ be some element of
$L(\mathcal{F}(N))$ and it is sufficient to prove that $\rho \in \mathcal{L}(\mathcal{F}(M))$. Then $\rho = \rho_1 \rho_2$ for some maximal $\rho_2$ such that all outputs
in $\rho_2$ are $0_{r+1}$. Let the input portions of $\rho_1$ and $\rho_2$ be $\sigma_1$ and $\sigma_2$ respectively. By the maximality of $\rho_2$ we must
have that $\rho_1$ is either empty or ends in output $1_{r+1}$. Thus, $\sigma_1 \in L(N)$ and so, since $\mathcal{L}(N) \subseteq \mathcal{L}(M)$, there exists
$\sigma_1' \sim \sigma_1$ with $\sigma_1' \in L(M)$. But this means that M can produce the output portion of $\rho_1$ in response to $\sigma_1'$ and so
there exists $\rho_1' \in L(\mathcal{F}(M))$ with $\rho_1' \sim \rho_1$. By the definition of $\mathcal{F}(M)$, since all outputs in $\rho_2$ are $0_{r+1}$ we have that
$\rho' = \rho_1' \rho_2 \in L(\mathcal{F}(M))$. The result therefore follows from observing that $\rho' = \rho_1' \rho_2 \sim \rho_1 \rho_2 = \rho$. □

Theorem 6 The following problem is undecidable: given two multi-port FSMs N and M with the same alphabets,
do we have that $N \sqsubseteq_s M$?

Proof

This follows from Lemma 1 and Theorem 3. □

When considering FSM M with only one port, we represent the problem of deciding whether two states $s$ and $s'$
of M are equivalent by comparing the FSMs $M_s$ and $M_{s'}$, formed by starting M in $s$ and $s'$ respectively. However,
we also have that the general problem is undecidable.

Theorem 7 The following problem is undecidable: given a multi-port FSM M and two states $s$ and $s'$ of M, are
$s$ and $s'$ equivalent?

Proof 

We will prove that we can express the problem of deciding whether multi-port FSMs are equivalent in terms of
state equivalence. We therefore assume that we have multi-port FSMs $M_1$ and $M_2$ with the same input and output
alphabets and we wish to decide whether $M_1$ and $M_2$ are equivalent. Let $s_{01}$ and $s_{02}$ denote the initial states of
$M_1$ and $M_2$ respectively. We will construct an FSM M in the following way. We add a new port $p$ and input $x_p$
at $p$. The input of $x_p$ in the initial state $s_0$ of M moves M non-deterministically to either $s_{01}$ or $s_{02}$ and produces
no output. All other input in state $s_0$ moves M to a state $s' \neq s_0$, that is not a state of $M_1$ or $M_2$, from which
all transitions are self-loops. The input of $x_p$ in a state of $M_1$ or $M_2$ leads to no output and no change of state.
Now we can observe that a sequence in the language defined by starting M in state $s_{0i}$, $i \in \{0, 1\}$, is equivalent
under $\sim$ to a sequence from $\mathcal{L}(M_i)$ followed by a sequence of zero or more instances of $x_p$. Thus, $s_{01}$ and $s_{02}$ are
equivalent if and only if $M_1$ and $M_2$ are equivalent. The result thus follows from Theorem 5 and the fact that if
we can decide equivalence then we can also decide inclusion. □

We now consider problems relating to distinguishing FSMs and states in testing. We can only distinguish
between FSMs and states on the basis of observations and each observation, in distributed testing, defines an
equivalence class of $\sim$.

Definition 7 It is possible to distinguish FSM N from FSM M in distributed testing if and only if $\mathcal{L}(N) \not\subseteq \mathcal{L}(M)$.
Further, it is possible to distinguish between FSMs N and M in distributed testing if and only if $\mathcal{L}(N) \not\subseteq \mathcal{L}(M)$
and $\mathcal{L}(M) \not\subseteq \mathcal{L}(N)$.

The first part of the definition says that we can only distinguish N from M in distributed testing if there is some
global trace of N that is not observationally equivalent to a global trace of M. The second part strengthens this
by requiring that we can distinguish N from M and also M from N. The following is an immediate consequence
of Theorem 6.

Theorem 8 The following problems are generally undecidable in distributed testing. 

• Is it possible to distinguish FSM N from FSM M ? 

• Is it possible to distinguish between FSMs N and M ? 

Similar to the proof of Theorem 7, we can express the problem of distinguishing between two FSMs as that of
distinguishing two states $s$ and $s'$ of an FSM M. Thus, the above shows that it is undecidable whether there is
some test case that is capable of distinguishing two states of an FSM or two FSMs. This complements a previous
result [18], that it is undecidable whether there is some test case that is guaranteed to distinguish two states or
FSMs.

Finally, we give conditions under which equivalence and inclusion are decidable. The first uses the notion of a
Parikh Image of a sequence [27]. Given a sequence $\sigma \in \Sigma^*$, where we have ordered the elements of $\Sigma$ as $a_1, \ldots, a_m$,
the Parikh Image of $\sigma$ is the tuple $(x_1, \ldots, x_m)$ in which for all $1 \le i \le m$ we have that $\sigma$ contains $x_i$ instances of
$a_i$. Given a set A of sequences, the Parikh Image of A is the set of tuples formed by taking the Parikh Image of
each sequence in A.

There are classes of languages where the Parikh Image of the language is guaranteed to be a semi-linear set. A
linear set is defined by a set of vectors $v_0, \ldots, v_k$ that have the same dimension. Specifically, the linear set defined
by $v_0, \ldots, v_k$ is the set of $v_0 + n_1 v_1 + \ldots + n_k v_k$ where $n_1, \ldots, n_k$ are all non-negative integers. A semi-linear
set is a finite union of linear sets.

Proposition 8 Let us suppose that multi-port FSMs N and M have the same input and output alphabets and that
for each port $p \in \mathcal{P}$ we have that $|Act_p| \le 1$. Then it is decidable whether $N \sqsubseteq_s M$.

Proof

Since for all $p \in \mathcal{P}$ we have that $|Act_p| \le 1$, for each $\sigma \in Act^*$ we have that $\sigma$ is equivalent under $\sim$ to all
its permutations. Thus, the Parikh Image of a sequence in $L(N)$ or $L(M)$ uniquely defines the corresponding
equivalence class. Thus, $N \sqsubseteq_s M$ if and only if the Parikh Image of $L(N)$ is a subset of the Parikh Image of $L(M)$.
However, these Parikh Images are semi-linear sets and it is decidable whether one semi-linear set is a subset of
another (see, for example, [25]). The result thus follows. □

We now consider the case where each transition produces output at all ports.

Proposition 9 Let us suppose that M is an FSM in which all transitions produce output at all ports. Then
$N \sqsubseteq_s M$ if and only if $L(N) \subseteq L(M)$.

Proof

First observe that if $N \sqsubseteq_s M$ then each transition of N must also produce output at every port. Consider a
sequence $\sigma \in L(M) \cup L(N)$ that contains k inputs. Since every transition produces output at all ports, for a port
$p$ we have that $\pi_p(\sigma)$ contains k outputs with each input $x_i$ at $p$ being between the output produced at $p$ by the
previous input and the output produced at $p$ in response to $x_i$. Thus, given sequences $\sigma, \sigma' \in L(N) \cup L(M)$ we
must have that $\sigma' \sim \sigma$ if and only if $\sigma' = \sigma$. The result therefore holds. □

6 Bounded conformance 

We have seen that it is undecidable whether two FSMs are related under $\sqsubseteq_s$. However, we might use a weaker
notion of conformance where we only consider sequences of length at most k for some k. This would be relevant
when the expected usage does not involve sequences of length greater than k since, for example, the system will
be reset after at most k inputs. In this section we define such a weaker implementation relation and explore the
problem of deciding whether two FSMs are related under this.

First, we introduce some notation. We let $IO_k$ denote the set of global traces that have at most k inputs. In
addition, for an FSM N we let $L_k(N) = L(N) \cap IO_k$ denote the set of global traces of N that have at most k
inputs. We can now define our implementation relation.

Definition 8 Given FSMs N and M with the same input and output alphabets, we say that N strongly k-conforms
to M if for all $\sigma \in L_k(N)$ there exists some $\sigma' \in L(M)$ such that $\sigma' \sim \sigma$. If this is the case then we write $N \sqsubseteq_s^k M$.

Clearly, given N and M it is decidable whether $N \sqsubseteq_s^k M$: we can simply generate every element of $L_k(N)$ and
for each $\sigma \in L_k(N)$ we determine whether $\sigma \in \mathcal{L}(M)$. The following shows that this can be achieved in polynomial
time if we have a bound on the number of ports. We use a result from Mazurkiewicz trace theory. In Mazurkiewicz
trace theory an independence graph is a directed graph where each vertex of the graph represents an element of
$Act$ and there is an edge between the vertex representing $a \in Act$ and the vertex representing $b \in Act$ if and only
if $ab$ and $ba$ are equivalent; $a$ and $b$ are said to be independent [5]. Thus, for FSMs we have that $a$ and $b$ are
independent if and only if they are at different ports.

Lemma 2 Given a sequence $\sigma \in IO_k$ and FSM M with n ports, we can decide whether $\sigma \in \mathcal{L}(M)$ in time of
$O(|\sigma|^n)$.

Proof 

The membership problem for a sequence $\sigma$ and rational trace language with alphabet $\Sigma$ and independence relation
$I$ can be solved in time of $O(|\sigma|^\alpha)$ where $\alpha$ is the size of the largest clique in the independence graph [3]. Since each
observation is made at exactly one port and two observations are independent if and only if they are at different
ports, we have that the maximal cliques of the independence graph all have size n and so $\alpha = n$. The result
therefore follows. □

Theorem 9 If there are bounds on the value of k and the number n of ports then the following problem can be
solved in polynomial time: given FSMs N and M with at most n ports, do we have that $N \sqsubseteq_s^k M$?

Proof

First observe that the number of elements in $L_k(N)$ is of $O(q^k)$, where q denotes the maximum number of transitions
leaving a state of N. Thus, since k is bounded, the elements in $L_k(N)$ can be produced in polynomial time. It
only remains to consider each $\sigma$ in $L_k(N)$ and decide whether it is in $\mathcal{L}(M)$. However, by Lemma 2 this can be
decided in polynomial time. The result therefore follows. □

Thus, if we have bounds on the number of ports of the system and the length of sequences we are considering
then we can decide whether $N \sqsubseteq_s^k M$ in polynomial time. However, the proof of Theorem 9 introduced terms that
are exponential in n and k and so it is natural to ask what happens if we do not place bounds on these values. It
transpires that the problem is then NP-hard even for DFSMs, the proof using the following.
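The decision procedure sketched before Lemma 2 (generate $L_k(N)$ and test each trace against M up to $\sim$) can be run directly on small machines. The following is an added example, not code from the paper: it compares tuples of local traces by brute force rather than using the trace-membership algorithm cited in Lemma 2, and the machines SPEC, IMPL_OK and IMPL_BAD, their partial transition tables and all symbols are constructed for illustration.

```python
# Added example, not from the paper. States, ports and symbols are constructed.
# An FSM is (initial_state, transitions). transitions maps
# (state, (port, input)) -> list of (next_state, outputs); outputs is a tuple of
# (port, output) pairs, one for each port at which the transition produces output.


def project(trace, ports):
    """Return the tuple of local traces (one per port) of a global trace."""
    local = {p: [] for p in ports}
    for (in_port, x), outputs in trace:
        local[in_port].append(("in", x))        # the input is observed at its own port
        for out_port, y in outputs:
            local[out_port].append(("out", y))  # each output is observed at its port
    return tuple(tuple(local[p]) for p in ports)


def traces(fsm, k):
    """L_k: every global trace of the FSM that has at most k inputs."""
    init, trans = fsm
    result = {()}
    frontier = {(init, ())}
    for _ in range(k):
        nxt = set()
        for state, trace in frontier:
            for (src, inp), targets in trans.items():
                if src != state:
                    continue
                for dst, outs in targets:
                    nxt.add((dst, trace + ((inp, outs),)))
        result |= {t for _, t in nxt}
        frontier = nxt
    return result


def k_conformance_failures(n, m, k, ports):
    """Traces in L_k(N) that are not equivalent under ~ to any global trace of M.

    Two traces are equivalent when every port sees the same local trace, so an
    equivalent trace has the same inputs; only L_k(M) has to be searched.
    N strongly k-conforms to M exactly when the returned list is empty.
    """
    allowed = {project(t, ports) for t in traces(m, k)}
    return sorted(t for t in traces(n, k) if project(t, ports) not in allowed)


PORTS = (1, 2)
A, B = (1, "a"), (2, "b")                 # inputs: a at port 1, b at port 2
U, V, W = (1, "u"), (2, "v"), (2, "w")    # outputs: u at port 1; v, w at port 2

# Specification: a/u then b/v, or b/v alone.
SPEC = ("s0", {
    ("s0", A): [("s1", (U,))],
    ("s1", B): [("s2", (V,))],
    ("s0", B): [("s3", (V,))],
})
# Takes the two independent steps in the other order: not a global trace of
# SPEC, but no local tester can tell the difference.
IMPL_OK = ("t0", {
    ("t0", B): [("t1", (V,))],
    ("t1", A): [("t2", (U,))],
})
# Same order as IMPL_OK but the second step also emits w at port 2.
IMPL_BAD = ("t0", {
    ("t0", B): [("t1", (V,))],
    ("t1", A): [("t2", (U, W))],
})

if __name__ == "__main__":
    print("IMPL_OK  failures, k=2:", k_conformance_failures(IMPL_OK, SPEC, 2, PORTS))
    print("IMPL_BAD failures, k=1:", k_conformance_failures(IMPL_BAD, SPEC, 1, PORTS))
    print("IMPL_BAD failures, k=2:", k_conformance_failures(IMPL_BAD, SPEC, 2, PORTS))
```

IMPL_BAD passes for k = 1 and fails for k = 2, which shows how the verdict depends on the bound chosen.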

Definition 9 Given boolean variables $z_1, \ldots, z_r$ let $C_1, \ldots, C_k$ denote sets of three literals, where each literal is
either a variable $z_i$ or its negation. The three-in-one SAT problem is: does there exist an assignment to the boolean
variables such that each $C_i$ contains exactly one true literal.

The three-in-one SAT problem is known to be NP-complete [33] . 

Theorem 10 The following problem is NP-hard: given k and completely specified DFSMs N and M, do we have
that $N \sqsubseteq_s^k M$?

Proof 

We will show that we can reduce the three-in-one SAT problem to this and suppose that we have variables
$z_1, \ldots, z_r$ and clauses $C_1, \ldots, C_q$. We will define a DFSM $M_1$ with $r + q + 2$ ports, inputs $z_{-1}, z_0, z_1, \ldots, z_r$ at
ports $-1, 0, 1, \ldots, r$ and outputs $y_1, \ldots, y_{r+q}$ at ports $1, \ldots, r + q$. We count ports from $-1$ rather than 1 since the
roles of inputs at $-1$ and 0 will be rather different from the roles of the other inputs.

DFSM $M_1$ has four states $s_0, s_1, s_2, s_3$ in which $s_0$ is the initial state. The states effectively represent different
'modes' and we now describe the roles of $s_1$ and $s_2$. In state $s_1$ an input at port $p$, $1 \le p \le r$, will lead to output
at all of the ports corresponding to clauses with literal $z_p$. In state $s_2$ an input at port $p$, $1 \le p \le r$, will lead to
output at all of the ports corresponding to clauses with literal $\neg z_p$. The input $z_0$ moves $M_1$ from $s_1$ to $s_2$. The
special input $z_{-1}$ takes $M_1$ from state $s_0$ to state $s_1$.

Overall, input $z_0$ does not produce output and only changes the state of $M_1$ if it is in state $s_1$, in which case it
takes $M_1$ to state $s_2$. Input $z_{-1}$ does not produce output and only changes the state of $M_1$ if it is in state $s_0$, in
which case it takes $M_1$ to state $s_1$.

For an input $z_p$ with $1 \le p \le r$ there are four transitions:

1. From state $s_1$ there is a transition that, for all $1 \le j \le k$, sends output $y_{r+j}$ to port $r + j$ if $C_j$ contains
literal $z_p$ and otherwise sends no output to port $r + j$. The transition sends no output to ports $-1, \ldots, r$ and
does not change state.

2. From state $s_2$ there is a transition that, for all $1 \le j \le k$, sends output $y_{r+j}$ to port $r + j$ if $C_j$ contains
literal $\neg z_p$ and otherwise sends no output to port $r + j$. The transition sends no output to ports $-1, \ldots, r$
and does not change state.

3. From state $s_0$ there is a transition to state $s_3$ that produces no output.

4. From state $s_3$ there is a transition to state $s_3$ that produces no output.

Now consider the global trace $\sigma$ that starts with input sequence $z_{-1} z_0 z_1 \ldots z_{r-1}$ and then has input $z_r$ producing
the outputs $y_{r+1} \ldots y_{r+q}$; all outputs are produced in response to the last input. Clearly we do not have $\sigma \in L(M_1)$.
We now prove that $\sigma \in \mathcal{L}(M_1)$ if and only if there is a solution to the instance of the three-in-one SAT problem.
Consider the problem of deciding whether there exists $\sigma' \in L(M_1)$ such that $\sigma' \sim \sigma$. Clearly the first input in $\sigma'$
must be $z_{-1}$. Each input $z_p$ is received once by the DFSM and these can be received in any order after $z_{-1}$. Thus,
for all $1 \le p \le r$ we do not know whether $z_p$ will be received before or after $z_0$ in $\sigma'$. If $z_p$ is received before $z_0$
then an output is sent to all ports that correspond to clauses that contain literal $z_p$. If $z_p$ is received after $z_0$ then
an output is sent to all ports that correspond to clauses that contain literal $\neg z_p$. Thus there exists $\sigma' \in L(M_1)$
such that $\sigma' \sim \sigma$ if and only if there exists an assignment to the boolean variables $z_1, \ldots, z_r$ such that each $C_j$
contains exactly one true literal.

We now construct DFSMs N and M such that $N \sqsubseteq_s^k M$ if and only if $\sigma \in \mathcal{L}(M_1)$. In the following we assume
that $r > 1$ and let $\sigma_1$ be the global trace formed from $\sigma$ by replacing the prefix $z_{-1} z_0 z_1$ by $z_1 z_{-1} z_0$. Thus, $\sigma_1 \sim \sigma$.
We form N from $M_1$ by adding a new path that has label $\sigma_1$. We add state $s_3'$ such that the input of $z_1$ in state
$s_0$ leads to state $s_3'$ (instead of $s_3$) and no output. From $s_3'$ we add a transition with label $z_0$ to another new state
$s_4'$. We repeat this process, adding new states, until we have a path from $s_0$ with label $z_1 z_0 z_{-1} z_2 z_3 \ldots z_{r-1}$ ending
in state $s_{r+3}'$. We then add a transition from $s_{r+3}'$ to $s_{r+4}'$ with input $z_r$ and the outputs $y_{r+1}, \ldots, y_{r+q}$. Finally,
we complete N by adding a transition to $s_3$ with input $z_p$ and null output from a state $s_j'$ if there is no transition
from $s_j'$ with input $z_p$. Clearly, $L(N) = L(M_1) \cup pref(\sigma_1) I^*$. Let $\sigma_1'$ be defined such that $\sigma_1 = z_1 \sigma_1'$. We can
similarly form an FSM M from $M_1$ such that $L(M) = L(M_1) \cup pref(\{z_1\} I \{\sigma_1'\}) I^*$. Since each $I_p$ contains only
one input we have that $\{z_1\} I \{\sigma_1\} I^*$ and define the same sets of equivalence classes under $\sim$. Thus, the
equivalence classes of $pref(\sigma_1) I^*$ and $pref(\{z_1\} I \{\sigma_1'\}) I^*$ under $\sim$ differ only in the one that contains $\sigma_1$ and we
know that $\sigma_1 \sim \sigma$. We therefore have that $N \sqsubseteq_s^k M$, for $k > r + 1$, if and only if $\sigma \in \mathcal{L}(M_1)$ and we know that
this is the case if and only if the instance of the three-in-one SAT problem has a solution. The result follows from
the three-in-one SAT problem being NP-hard. □
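The first half of the proof of Theorem 10 (an ordering of the inputs around $z_0$ encodes a truth assignment) can be checked mechanically on small instances. The following is an added example, not code from the paper: it simulates $M_1$ as described above, searches the orderings that begin with $z_{-1}$ for a run whose local traces equal those of $\sigma$, and compares the outcome with a direct search over assignments. The signed-integer literal encoding and both clause sets are constructed assumptions.

```python
from itertools import permutations, product

# Added example, not from the paper. A literal is a signed integer: p stands for
# z_p and -p for its negation. Clause C_j is observed at port r + j.


def run_m1(r, clauses, order):
    """Local traces (port -> list of events) when M_1 receives inputs in `order`.

    Inputs are named by their port: -1 is z_{-1}, 0 is z_0, p >= 1 is z_p.
    """
    state, local = "s0", {}
    for p in order:
        local.setdefault(p, []).append(("z", p))      # input z_p seen at port p
        if p == -1:
            if state == "s0":
                state = "s1"
        elif p == 0:
            if state == "s1":
                state = "s2"
        elif state == "s0":
            state = "s3"                              # sink: no output from here on
        elif state in ("s1", "s2"):
            literal = p if state == "s1" else -p      # s1 acts on z_p, s2 on its negation
            for j, clause in enumerate(clauses, start=1):
                if literal in clause:
                    local.setdefault(r + j, []).append(("y", r + j))
    return local


def sigma_local(r, q):
    """Local traces of sigma: each input once, one output at each clause port."""
    local = {p: [("z", p)] for p in range(-1, r + 1)}
    local.update({r + j: [("y", r + j)] for j in range(1, q + 1)})
    return local


def equivalent_run(r, clauses):
    """An input order whose run of M_1 is equivalent to sigma under ~, or None."""
    target = sigma_local(r, len(clauses))
    for rest in permutations(range(0, r + 1)):        # the proof fixes z_{-1} first
        order = (-1,) + rest
        if run_m1(r, clauses, order) == target:
            return order
    return None


def assignment_from(order, r):
    """z_p is true exactly when it is received before z_0."""
    cut = order.index(0)
    return tuple(order.index(p) < cut for p in range(1, r + 1))


def exactly_one(bits, clauses):
    """True when every clause has exactly one true literal under `bits`."""
    return all(sum(bits[abs(l) - 1] == (l > 0) for l in c) == 1 for c in clauses)


def one_in_three(r, clauses):
    """Direct search for a satisfying assignment, or None."""
    for bits in product((False, True), repeat=r):
        if exactly_one(bits, clauses):
            return bits
    return None


SAT_INSTANCE = [(1, 2, 3), (-1, 2, -3)]      # constructed, satisfiable
UNSAT_INSTANCE = [(1, 2, 3), (-1, -2, -3)]   # constructed, unsatisfiable

if __name__ == "__main__":
    for name, cls in (("SAT", SAT_INSTANCE), ("UNSAT", UNSAT_INSTANCE)):
        print(name, "run:", equivalent_run(3, cls), "assignment:", one_in_three(3, cls))
```

The search is factorial in r, in line with the hardness result; it is meant for checking the construction on toy instances only.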

Naturally, the results in this section are also relevant when we are looking for tests of length no longer than k 
that distinguish states or FSMs. 

7 Conclusions 

There are important classes of systems such as cloud systems, web services and wireless sensor networks, that 
interact with their environment at physically distributed ports. In testing such a system we place a local tester at 
each port and the local tester (or user) at port p only observes the events that occur at p. It is known that this 
reduced observational power, under which a set of local traces is observed, can introduce additional controllability 
and observability problems. 

This paper has considered the situation in which there is a finite state machine (FSM) model M that acts as the
specification for a system that interacts with its environment at physically distributed ports. We considered the
implementation relation $\sqsubseteq_s$ that requires the set of local traces observed to be consistent with some global trace
of the specification. We investigated the problem of defining a language $\mathcal{L}(M)$ such that we know that $N \sqsubseteq_s M$ if
and only if all of the global traces of N are contained in $\mathcal{L}(M)$. We showed that $\mathcal{L}(M)$ can be uniquely defined
but need not be regular.

We proved that it is generally undecidable whether $N \sqsubseteq_s M$ even if there are only two ports, although we also
gave conditions under which this is decidable. An additional consequence of this result is that it is undecidable
whether there is a test case (a strategy for each local tester) that is capable of distinguishing two states of an FSM
or two FSMs. This complements earlier results that show that it is undecidable whether there is a test case that
is guaranteed to distinguish between two states of an FSM or two FSMs. While these results appear to be related,
the proofs relied on very different approaches: the earlier result looked at the problem in terms of multi-player
games while this paper developed and used results regarding multi-tape automata.

Since it is generally undecidable whether $N \sqsubseteq_s M$ we defined a weaker implementation relation under which
we only consider input sequences of length k or less. This is particularly relevant in situations in which it is known
that input sequences of length greater than k need not be considered since, for example, the system must be reset
before this limit has been reached. We proved that if we place a bound on k and the number of ports then we can
decide whether $N \sqsubseteq_s^k M$ in polynomial time but otherwise this problem is NP-hard.

There are several avenues for future work. First, there is the problem of finding weaker conditions under which
we can decide whether $N \sqsubseteq_s M$. In addition, it would be interesting to find conditions under which $\mathcal{L}(M)$ can
be constructed. There is also the problem of extending the results to situations in which we can make additional
observations; for example, we might consider languages such as CSP in which we can also observe refusals. Finally,
one of the motivations for this work was the problem of deciding whether there is a test case that is capable
of distinguishing two states of an FSM and, despite this being undecidable, it would be interesting to develop
heuristics for this problem.